So before we begin you need the following things:
1. The PHP mail() function must be enabled.
2. You need a database holding each user's email and password; otherwise there is nothing to reset.

This code sets the variables used to make a connection with the database.
We wrap the connection in a try block so that we can see if something goes wrong.
If the connection succeeds, no error will come up.
If it fails, the variable $msg is set to an error message which we can echo out if needed.

This code checks whether the form was submitted or the user just visited the page accidentally.
If the condition is true the block runs; if it is false the code inside is skipped.

if (isset($_POST["ForgotPassword"])) {
    // the form was submitted: handle the reset request here
}

The next code checks whether the email address is valid.
If it is valid, execution continues.
If it is not valid, we stop the code and show the message: Email is not valid

This code checks whether the email is in the database and sets $userExists to the result. If no row is found,
$userExists['email'] is empty, and we cannot reset the password of someone who does not exist in our database.
If the email is in the database, execution continues and the database connection is closed since we no longer need it.

We also bind the parameters to the variables. This helps against SQL injection.

This code generates a reset code from a hashed value of the email address: the code is built from the hash and the email.
After that we set the variable $pwrurl to the link where the password can be changed.
Then we show a message that the mail has been sent and email the information to the user so they can reset their password.

Now we check whether the form was submitted and filled in by testing whether the variable is set.
If it is, the code runs; otherwise it stops. If isset returns true we set our variables to the posted values so
we can use them later in the script.

Here we regenerate the code so we can check whether the code the user supplied is valid.
We do that by regenerating the key with the same method used for the Change.php form.
Then we check whether the key is valid: if it is, execution continues; if not, we show an error message saying
that the code is not valid.

Here we check whether the two passwords match, and if they do we secure the password by encrypting it.
Then we run a query to update the user's password to the new one, close the connection since we no longer need it, and
tell the user that the password has been changed.
If the passwords do not match or the reset key is not valid, we show the corresponding error message to the user.

We also bind the parameters to the variables, which helps against SQL injection.
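The two steps described above (minting the reset code that goes into $pwrurl, and checking it on the Change.php page), as an added example that is not the tutorial's own code. It keeps the PDO prepared statements the text recommends, but replaces the email-derived code with a random token that is stored only as a hash, expires after an hour and is deleted once used, which is the gap raised in the replies below. The PDO handle $db and the password_resets table (email, token_hash, expires_at DATETIME) are assumptions; the users table is the tutorial's.

```php
<?php
// Added example, not the tutorial's code. Assumes a PDO handle $db, the
// tutorial's `users` table (email, password) and an assumed
// `password_resets` table (email, token_hash, expires_at DATETIME).

// Forgot-password step: validate the address, confirm the user exists, and
// mint a random, expiring, single-use code for the caller to place in $pwrurl.
function createResetToken(PDO $db, string $email): ?string
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null;                                   // "Email is not valid"
    }
    // Bound parameters, never string concatenation: blocks SQL injection.
    $stmt = $db->prepare('SELECT email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    if ($stmt->fetch(PDO::FETCH_ASSOC) === false) {
        return null;                                   // not in our database
    }
    $token = bin2hex(random_bytes(32));                // 256 random bits
    $db->prepare('DELETE FROM password_resets WHERE email = :email')
       ->execute([':email' => $email]);                // one live code per user
    $db->prepare('INSERT INTO password_resets (email, token_hash, expires_at)
                  VALUES (:email, :hash, :exp)')
       ->execute([
           ':email' => $email,
           ':hash'  => hash('sha256', $token),         // DB holds only the hash
           ':exp'   => date('Y-m-d H:i:s', time() + 3600), // valid for one hour
       ]);
    return $token;   // caller builds $pwrurl with it and mails the user
}

// Change.php step: look the code up instead of regenerating it, reject it
// once expired or used, then store the new password as a password_hash().
function completeReset(PDO $db, string $token, string $pw1, string $pw2): string
{
    if ($pw1 !== $pw2) {
        return 'Passwords do not match';
    }
    $stmt = $db->prepare('SELECT email FROM password_resets
                          WHERE token_hash = :hash AND expires_at > :now');
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => date('Y-m-d H:i:s')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'Code is not valid';                    // unknown, used or expired
    }
    $db->prepare('UPDATE users SET password = :pw WHERE email = :email')
       ->execute([':pw' => password_hash($pw1, PASSWORD_DEFAULT), ':email' => $row['email']]);
    $db->prepare('DELETE FROM password_resets WHERE email = :email')   // single use
       ->execute([':email' => $row['email']]);
    return 'Password changed';
}
```

Verify the stored password later with password_verify(); the reset code itself never needs to be reproducible, so nothing derived from the email alone can be replayed from browser history.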

Replies To: Reset Password System

My only concern is, if I'm reading this correctly, it seems like the password reset URL/code is always the same and never expires. Essentially if I go onto a friend's laptop and rip the URL from their history, I could reset their password for them (deviously of course) at a much later time. Of course there are so many ways to give them their code! From temp one-time passwords, temp one-time reset codes (my favorite), and so on, this is an interesting way about it.

-Chris

This is just how the system works. If you want, you could add some features to it like what you said, because this isn't an Advanced Secured Reset Password System.

This code is just what I'm looking for, thanks. I've got to figure out how to implement it all though, as I'm using object-oriented PHP with classes and pages split, and I'm a true newbie, so help would be very much appreciated if possible(?) working through this.

Can someone kindly reply to add the feature to randomise the salt or expire it at the end of the session please, or expand on the advanced features to better secure it?

And as this is my first post, what's the best practice to actually have someone kindly help implement this code alongside me for my website? That would be much appreciated!

Thanks again!!!

This post has been edited by andrewsw: 28 August 2015 - 07:08 AM
Reason for edit: Removed unrelated quote, just press the REPLY button

Perhaps you need to take a step back and bring yourself up to speed on PHP before trying to wedge this into where ever. You also may get enough experience to fill in the advanced parts yourself!

Thanks! Agreed but not currently on my agenda, hence support request please. I've everything else pretty much done though through tutorial videos and understand the basics, so I guess it's just organisation of this for my site and referencing the pages, and too the additional security requirement as that's beyond my understanding.

Mkay. Well, to be clear - the tutorials are provided 'as is' and the author, or other volunteers, are not really on a "support request" based system. If you want something more timely or looking for a tutor the 'post a job' and 'volunteer' sections are a nice place to start.

Ok, I'll see how far I get over the weekend with this. Maybe I can figure it out. Sorry for adding to the thread, I didn't realise I couldn't edit my posts, so would have updated...

Having issues with the Change.php page. When clicking the Reset Request button on my forgot_password.php page, it's just sending me to the change.php page and displaying my default error page. So, it doesn't look like it's connecting to my database and running through the functions to check e-mail etc...